Cultural change required in organisations to increase cyber security, says US Secret Service

The US Secret Service says current human factors are restricting the progression of cyber security

Ronald Layton, the deputy assistant director of the US Secret Service, said “cultural change” is needed in organisations to cut the number of cyber attacks caused by human error.

Speaking at NetEvents’ Global Press & Analyst Summit on 28 September, Layton said the concept of cyber security is still not at the forefront of most people’s minds, putting the organisations they work for at risk.

“Cyber as a discipline and an endeavour is completely new. Humans are interacting with these machines, and this is all new. So we’re having to force cultural change,” he said.

“It’s going to take us a while. When it comes to things like cyber hygiene, and how we’re going to interface from the standpoint of security and our IT systems, we’re going to get there.”

During the panel, Michael Levin, former deputy director at the US Department of Homeland Security, said employers need to educate their employees on cyber security issues, given that 70-80% of hacks can be traced back to human error.

“Whether it’s intentional or unintentional human error, we’ve got to figure out a way to reduce that risk through education and training,” he said.

“There are plenty of tools out there, but if your employees are clicking on every email link and attachment that they’re getting, something’s going to happen. Bad things are still going to happen, so we have to reduce that risk.

“Many organisations don’t want to take the time to educate their people on what they can and cannot do, and it’s so basic to the day-to-day process of any organisation.”

Layton backed this view, citing employees opening email attachments as a major source of malware attacks, which – in turn – feeds into people’s natural curiosity.

“That’s why the technique of spear phishing is so popular and so efficacious, because you’re curious. You want to see what is behind that next click,” he said.

“Of course, when you look at the analysis and the pathology of how malware gets on a system, you’re going to find that a major percentage comes from clicking on an email attachment.”

“Human factors are a significant reason why we are not further advanced in the practice of cyber security.”

In terms of who is targeting employees, MK Palmore, information security risk management executive for the FBI’s San Francisco cyber branch, said attacks tend to originate from financially motivated groups, threat actors, nation states and hacktivists.

The threat actors are often “self-taught” individuals who are between the ages of 14 and 32 and thrive on being unknown, with their ability to retain their anonymity proving problematic for law enforcers.

“It presents a problem for those of us on the law enforcement end of the spectrum in terms of our ability to close the gap, define attribution and ultimately get these folks into the US criminal justice system,” said Palmore.

The nation states groups also present a significant danger as they have the most ability and can work with the threat actors, added Palmore.

“They tend to be the most complex in terms of their capabilities, and most capable. We’ve seen, through the course of investigations, a combination of criminal threat actor activity with nation states, basically creating what I like to call a ‘super-team’ of cyber threat activity,” he said.

Aside from educating users, Layton and Palmore said patch management, at a low-level, is essential for improving corporate security, with Palmore describing it as an “information security fundamental”.

“When you go through information security training, or formal standardisation in terms of certifications, there are basics that you’re taught about protecting systems and protecting information,” he said.

“In the post-mortems of these investigations that my teams conduct, we always find that there’s some gap in the coverage of the security of that particular network that boils down to a fundamental issue of security protection.”